Enabling user authentication on linux against Active Directory, using ubuntu, sssd and AD 2008 (should work with 2003r2)
1. Install the software you need:
apt-get install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli
2. vi /etc/sssd/sssd.conf and put this in it:
[nss] filter_groups = root filter_users = root reconnection_retries = 3
[pam] reconnection_retries = 3
3. chmod 0600 /etc/sssd/sssd.conf
4. vi /etc/realmd.conf and put this in it:
[service]
automatic-install = no
5. run kinit Administrator@YOURDOMAIN.ALLINCAPS.TLD
6. run realm –verbose join yourdomain.allincaps.tld \
–user-principal=ubuntuserverhostname/Administrator@YOURDOMAIN.ALLINCAPS.TLD –unattended
You should have more content inside sssd.conf now, in the [domain/YOURDOMAIN.ALLINCAPS.TLD] section.
7. vi /etc/sssd/sssd.conf and comment out the line use_fully_qualified_names = True
You should now be able to su – to a domain user.
That’s it, you’re done: you can login to your linux box by authenticating to your Active Directory domain.
Additional (and optional) stuff is below, like adding groups and restricting logins based on groups.
Additional settings inside /etc/sssd/sssd.conf [domain] section to enable groups:
[domain/yourdomain.allincaps.tld] ad_domain = yourdomain.allincaps.tld krb5_realm = YOURDOMAIN.ALLINCAPS.TLD realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True ## comment out #use_fully_qualified_names = True ## these will need to be created manually or you will need to modify pam to ## mkdir them with pam_mkhomedir.so or use oddjob-mkhomedir, see below override_homedir = /home/%u fallback_homedir = /home/%d/%u ##group settings## ldap_group_uuid = objectGUID ldap_user_uuid = objectGUID ldap_group_member = member ldap_user_member_of = memberOf ldap_user_uid_number = uidNumber ldap_group_nesting_level = 1 ldap_force_upper_case_realm = True ldap_user_principal = userPrincipalName ldap_user_object_class = user ldap_user_gid_number = gidNumber ldap_group_modify_timestamp = whenChanged ldap_group_object_class = group ldap_group_name = cn ldap_user_name = sAMAccountName ldap_ns_account_lock = userAccountControl ldap_user_home_directory = unixHomeDirectory ldap_user_modify_timestamp = whenChanged ldap_group_gid_number = gidNumber ldap_referrals = false ldap_group_nesting_level = 0
Test that groups are working by su’ing to an AD user and typing in “groups”, which will show you what groups your user is a member of.
To make the homedirectory autocreate:
1. edit /etc/pam.d/common-session (/etc/pam.d/session-auth in RHEL)and add this line before any pam_ldap or pam_krb5 lines:
#autocreate user homedirs session required pam_mkhomedir.so umask=0022 skel=/etc/skel
To limit login by AD group:
- Create a file that will have the group names allowed to login:
vi /etc/login.allowed.per.ad.group
and populate it with group names, one per line (I created an AD group called linux-login, to limit which users were allowed to login), like so:
root wheel domain\ admins linux-login
- edit /etc/pam.d/common-auth (in RHEL this is /etc/pam.d/system-auth) and add this line to it:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.allowed.per.ad.group
To allow an AD group to have access to sudo:
- visudo
- add the AD groups
%domain\ admins ALL=(ALL) ALL
%linux-sudo ALL=(ALL) ALL
Further reading:
Allow/Deny login per group:
http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html
Various bits, mostly to do with LDAP authentication, but can be translated for use with AD/sssd/pam (e.g. homedir creation)
https://help.ubuntu.com/community/LDAPClientAuthentication
http://www.chriscowley.me.uk/blog/2014/06/17/new-linux-active-directory-integration/
http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/
http://linux.tvortex.net/2011/10/sssd-against-active-directory-2003.html
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server